cobaltstrike | 31b4900742c7817b1772984763d0a05d4bd4f5c9580f72ba00a89a84cfbb3424

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

76220fbe02249ab34dab933ea8f666f1
SHA1

bdcfa4a9484636344109ffd0a96734fa62db6a55
SHA256

31b4900742c7817b1772984763d0a05d4bd4f5c9580f72ba00a89a84cfbb3424
SHA512

817b3f80181d7b612eded708845e137bd6a9d3b16716537b37a6bc20a9db7cc3ea06ac55127f89f09053e6171ef5878a22c06172737be92a6aa8e519c18ec289
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU6:Q+856utgpPF8u/76

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\dPBjinJ.exe	cobalt_reflective_dll
C:\Windows\System\MvVRqaw.exe	cobalt_reflective_dll
C:\Windows\System\pjSisze.exe	cobalt_reflective_dll
C:\Windows\System\jWzHtWY.exe	cobalt_reflective_dll
C:\Windows\System\qNZUzVH.exe	cobalt_reflective_dll
C:\Windows\System\JcfxDSR.exe	cobalt_reflective_dll
C:\Windows\System\iFMJYAB.exe	cobalt_reflective_dll
C:\Windows\System\HCOkrQh.exe	cobalt_reflective_dll
C:\Windows\System\ZRXPWzA.exe	cobalt_reflective_dll
C:\Windows\System\KPzbgFJ.exe	cobalt_reflective_dll
C:\Windows\System\mqbAmsP.exe	cobalt_reflective_dll
C:\Windows\System\gpZnjdO.exe	cobalt_reflective_dll
C:\Windows\System\tLoqfqO.exe	cobalt_reflective_dll
C:\Windows\System\hyLiplr.exe	cobalt_reflective_dll
C:\Windows\System\FSufaEp.exe	cobalt_reflective_dll
C:\Windows\System\GPJtLrX.exe	cobalt_reflective_dll
C:\Windows\System\zAqhync.exe	cobalt_reflective_dll
C:\Windows\System\mKkYyVF.exe	cobalt_reflective_dll
C:\Windows\System\pmUkfSZ.exe	cobalt_reflective_dll
C:\Windows\System\lzOYTyo.exe	cobalt_reflective_dll
C:\Windows\System\OStnhog.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3100-0-0x00007FF73FC50000-0x00007FF73FFA4000-memory.dmp	xmrig
C:\Windows\System\dPBjinJ.exe	xmrig
behavioral2/memory/4220-8-0x00007FF7F08C0000-0x00007FF7F0C14000-memory.dmp	xmrig
C:\Windows\System\MvVRqaw.exe	xmrig
C:\Windows\System\pjSisze.exe	xmrig
C:\Windows\System\jWzHtWY.exe	xmrig
behavioral2/memory/3212-22-0x00007FF60D8D0000-0x00007FF60DC24000-memory.dmp	xmrig
behavioral2/memory/3056-28-0x00007FF62EBB0000-0x00007FF62EF04000-memory.dmp	xmrig
C:\Windows\System\qNZUzVH.exe	xmrig
C:\Windows\System\JcfxDSR.exe	xmrig
C:\Windows\System\iFMJYAB.exe	xmrig
C:\Windows\System\HCOkrQh.exe	xmrig
C:\Windows\System\ZRXPWzA.exe	xmrig
C:\Windows\System\KPzbgFJ.exe	xmrig
C:\Windows\System\mqbAmsP.exe	xmrig
C:\Windows\System\gpZnjdO.exe	xmrig
C:\Windows\System\tLoqfqO.exe	xmrig
C:\Windows\System\hyLiplr.exe	xmrig
C:\Windows\System\FSufaEp.exe	xmrig
C:\Windows\System\GPJtLrX.exe	xmrig
C:\Windows\System\zAqhync.exe	xmrig
C:\Windows\System\mKkYyVF.exe	xmrig
C:\Windows\System\pmUkfSZ.exe	xmrig
C:\Windows\System\lzOYTyo.exe	xmrig
C:\Windows\System\OStnhog.exe	xmrig
behavioral2/memory/4184-19-0x00007FF631F40000-0x00007FF632294000-memory.dmp	xmrig
behavioral2/memory/3924-111-0x00007FF731110000-0x00007FF731464000-memory.dmp	xmrig
behavioral2/memory/3880-112-0x00007FF691EA0000-0x00007FF6921F4000-memory.dmp	xmrig
behavioral2/memory/5112-113-0x00007FF769520000-0x00007FF769874000-memory.dmp	xmrig
behavioral2/memory/3184-115-0x00007FF760540000-0x00007FF760894000-memory.dmp	xmrig
behavioral2/memory/2600-114-0x00007FF7AF0A0000-0x00007FF7AF3F4000-memory.dmp	xmrig
behavioral2/memory/4980-117-0x00007FF787290000-0x00007FF7875E4000-memory.dmp	xmrig
behavioral2/memory/4772-116-0x00007FF645D70000-0x00007FF6460C4000-memory.dmp	xmrig
behavioral2/memory/2248-119-0x00007FF6A5FB0000-0x00007FF6A6304000-memory.dmp	xmrig
behavioral2/memory/824-118-0x00007FF6E9D70000-0x00007FF6EA0C4000-memory.dmp	xmrig
behavioral2/memory/5056-121-0x00007FF7F4180000-0x00007FF7F44D4000-memory.dmp	xmrig
behavioral2/memory/3592-123-0x00007FF79BE00000-0x00007FF79C154000-memory.dmp	xmrig
behavioral2/memory/4976-125-0x00007FF656A30000-0x00007FF656D84000-memory.dmp	xmrig
behavioral2/memory/3584-127-0x00007FF6DBEE0000-0x00007FF6DC234000-memory.dmp	xmrig
behavioral2/memory/4316-126-0x00007FF778A40000-0x00007FF778D94000-memory.dmp	xmrig
behavioral2/memory/3008-124-0x00007FF7F7800000-0x00007FF7F7B54000-memory.dmp	xmrig
behavioral2/memory/2476-122-0x00007FF6C3C80000-0x00007FF6C3FD4000-memory.dmp	xmrig
behavioral2/memory/4840-120-0x00007FF6EBF80000-0x00007FF6EC2D4000-memory.dmp	xmrig
behavioral2/memory/3100-128-0x00007FF73FC50000-0x00007FF73FFA4000-memory.dmp	xmrig
behavioral2/memory/4220-129-0x00007FF7F08C0000-0x00007FF7F0C14000-memory.dmp	xmrig
behavioral2/memory/4184-130-0x00007FF631F40000-0x00007FF632294000-memory.dmp	xmrig
behavioral2/memory/3056-131-0x00007FF62EBB0000-0x00007FF62EF04000-memory.dmp	xmrig
behavioral2/memory/4220-132-0x00007FF7F08C0000-0x00007FF7F0C14000-memory.dmp	xmrig
behavioral2/memory/4184-133-0x00007FF631F40000-0x00007FF632294000-memory.dmp	xmrig
behavioral2/memory/3212-134-0x00007FF60D8D0000-0x00007FF60DC24000-memory.dmp	xmrig
behavioral2/memory/3056-135-0x00007FF62EBB0000-0x00007FF62EF04000-memory.dmp	xmrig
behavioral2/memory/3924-136-0x00007FF731110000-0x00007FF731464000-memory.dmp	xmrig
behavioral2/memory/5112-139-0x00007FF769520000-0x00007FF769874000-memory.dmp	xmrig
behavioral2/memory/2600-138-0x00007FF7AF0A0000-0x00007FF7AF3F4000-memory.dmp	xmrig
behavioral2/memory/3184-137-0x00007FF760540000-0x00007FF760894000-memory.dmp	xmrig
behavioral2/memory/3592-145-0x00007FF79BE00000-0x00007FF79C154000-memory.dmp	xmrig
behavioral2/memory/4316-150-0x00007FF778A40000-0x00007FF778D94000-memory.dmp	xmrig
behavioral2/memory/4976-151-0x00007FF656A30000-0x00007FF656D84000-memory.dmp	xmrig
behavioral2/memory/3008-149-0x00007FF7F7800000-0x00007FF7F7B54000-memory.dmp	xmrig
behavioral2/memory/824-148-0x00007FF6E9D70000-0x00007FF6EA0C4000-memory.dmp	xmrig
behavioral2/memory/2476-147-0x00007FF6C3C80000-0x00007FF6C3FD4000-memory.dmp	xmrig
behavioral2/memory/2248-146-0x00007FF6A5FB0000-0x00007FF6A6304000-memory.dmp	xmrig
behavioral2/memory/4980-144-0x00007FF787290000-0x00007FF7875E4000-memory.dmp	xmrig
behavioral2/memory/4840-143-0x00007FF6EBF80000-0x00007FF6EC2D4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

dPBjinJ.exeMvVRqaw.exepjSisze.exejWzHtWY.exeOStnhog.exelzOYTyo.exepmUkfSZ.exeqNZUzVH.exeJcfxDSR.exemKkYyVF.exezAqhync.exeiFMJYAB.exeGPJtLrX.exeFSufaEp.exehyLiplr.exetLoqfqO.exeHCOkrQh.exegpZnjdO.exemqbAmsP.exeKPzbgFJ.exeZRXPWzA.exe

pid	process
4220	dPBjinJ.exe
4184	MvVRqaw.exe
3212	pjSisze.exe
3056	jWzHtWY.exe
3924	OStnhog.exe
3880	lzOYTyo.exe
5112	pmUkfSZ.exe
2600	qNZUzVH.exe
3184	JcfxDSR.exe
4772	mKkYyVF.exe
4980	zAqhync.exe
824	iFMJYAB.exe
2248	GPJtLrX.exe
4840	FSufaEp.exe
5056	hyLiplr.exe
2476	tLoqfqO.exe
3592	HCOkrQh.exe
3008	gpZnjdO.exe
4976	mqbAmsP.exe
4316	KPzbgFJ.exe
3584	ZRXPWzA.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3100-0-0x00007FF73FC50000-0x00007FF73FFA4000-memory.dmp	upx
C:\Windows\System\dPBjinJ.exe	upx
behavioral2/memory/4220-8-0x00007FF7F08C0000-0x00007FF7F0C14000-memory.dmp	upx
C:\Windows\System\MvVRqaw.exe	upx
C:\Windows\System\pjSisze.exe	upx
C:\Windows\System\jWzHtWY.exe	upx
behavioral2/memory/3212-22-0x00007FF60D8D0000-0x00007FF60DC24000-memory.dmp	upx
behavioral2/memory/3056-28-0x00007FF62EBB0000-0x00007FF62EF04000-memory.dmp	upx
C:\Windows\System\qNZUzVH.exe	upx
C:\Windows\System\JcfxDSR.exe	upx
C:\Windows\System\iFMJYAB.exe	upx
C:\Windows\System\HCOkrQh.exe	upx
C:\Windows\System\ZRXPWzA.exe	upx
C:\Windows\System\KPzbgFJ.exe	upx
C:\Windows\System\mqbAmsP.exe	upx
C:\Windows\System\gpZnjdO.exe	upx
C:\Windows\System\tLoqfqO.exe	upx
C:\Windows\System\hyLiplr.exe	upx
C:\Windows\System\FSufaEp.exe	upx
C:\Windows\System\GPJtLrX.exe	upx
C:\Windows\System\zAqhync.exe	upx
C:\Windows\System\mKkYyVF.exe	upx
C:\Windows\System\pmUkfSZ.exe	upx
C:\Windows\System\lzOYTyo.exe	upx
C:\Windows\System\OStnhog.exe	upx
behavioral2/memory/4184-19-0x00007FF631F40000-0x00007FF632294000-memory.dmp	upx
behavioral2/memory/3924-111-0x00007FF731110000-0x00007FF731464000-memory.dmp	upx
behavioral2/memory/3880-112-0x00007FF691EA0000-0x00007FF6921F4000-memory.dmp	upx
behavioral2/memory/5112-113-0x00007FF769520000-0x00007FF769874000-memory.dmp	upx
behavioral2/memory/3184-115-0x00007FF760540000-0x00007FF760894000-memory.dmp	upx
behavioral2/memory/2600-114-0x00007FF7AF0A0000-0x00007FF7AF3F4000-memory.dmp	upx
behavioral2/memory/4980-117-0x00007FF787290000-0x00007FF7875E4000-memory.dmp	upx
behavioral2/memory/4772-116-0x00007FF645D70000-0x00007FF6460C4000-memory.dmp	upx
behavioral2/memory/2248-119-0x00007FF6A5FB0000-0x00007FF6A6304000-memory.dmp	upx
behavioral2/memory/824-118-0x00007FF6E9D70000-0x00007FF6EA0C4000-memory.dmp	upx
behavioral2/memory/5056-121-0x00007FF7F4180000-0x00007FF7F44D4000-memory.dmp	upx
behavioral2/memory/3592-123-0x00007FF79BE00000-0x00007FF79C154000-memory.dmp	upx
behavioral2/memory/4976-125-0x00007FF656A30000-0x00007FF656D84000-memory.dmp	upx
behavioral2/memory/3584-127-0x00007FF6DBEE0000-0x00007FF6DC234000-memory.dmp	upx
behavioral2/memory/4316-126-0x00007FF778A40000-0x00007FF778D94000-memory.dmp	upx
behavioral2/memory/3008-124-0x00007FF7F7800000-0x00007FF7F7B54000-memory.dmp	upx
behavioral2/memory/2476-122-0x00007FF6C3C80000-0x00007FF6C3FD4000-memory.dmp	upx
behavioral2/memory/4840-120-0x00007FF6EBF80000-0x00007FF6EC2D4000-memory.dmp	upx
behavioral2/memory/3100-128-0x00007FF73FC50000-0x00007FF73FFA4000-memory.dmp	upx
behavioral2/memory/4220-129-0x00007FF7F08C0000-0x00007FF7F0C14000-memory.dmp	upx
behavioral2/memory/4184-130-0x00007FF631F40000-0x00007FF632294000-memory.dmp	upx
behavioral2/memory/3056-131-0x00007FF62EBB0000-0x00007FF62EF04000-memory.dmp	upx
behavioral2/memory/4220-132-0x00007FF7F08C0000-0x00007FF7F0C14000-memory.dmp	upx
behavioral2/memory/4184-133-0x00007FF631F40000-0x00007FF632294000-memory.dmp	upx
behavioral2/memory/3212-134-0x00007FF60D8D0000-0x00007FF60DC24000-memory.dmp	upx
behavioral2/memory/3056-135-0x00007FF62EBB0000-0x00007FF62EF04000-memory.dmp	upx
behavioral2/memory/3924-136-0x00007FF731110000-0x00007FF731464000-memory.dmp	upx
behavioral2/memory/5112-139-0x00007FF769520000-0x00007FF769874000-memory.dmp	upx
behavioral2/memory/2600-138-0x00007FF7AF0A0000-0x00007FF7AF3F4000-memory.dmp	upx
behavioral2/memory/3184-137-0x00007FF760540000-0x00007FF760894000-memory.dmp	upx
behavioral2/memory/3592-145-0x00007FF79BE00000-0x00007FF79C154000-memory.dmp	upx
behavioral2/memory/4316-150-0x00007FF778A40000-0x00007FF778D94000-memory.dmp	upx
behavioral2/memory/4976-151-0x00007FF656A30000-0x00007FF656D84000-memory.dmp	upx
behavioral2/memory/3008-149-0x00007FF7F7800000-0x00007FF7F7B54000-memory.dmp	upx
behavioral2/memory/824-148-0x00007FF6E9D70000-0x00007FF6EA0C4000-memory.dmp	upx
behavioral2/memory/2476-147-0x00007FF6C3C80000-0x00007FF6C3FD4000-memory.dmp	upx
behavioral2/memory/2248-146-0x00007FF6A5FB0000-0x00007FF6A6304000-memory.dmp	upx
behavioral2/memory/4980-144-0x00007FF787290000-0x00007FF7875E4000-memory.dmp	upx
behavioral2/memory/4840-143-0x00007FF6EBF80000-0x00007FF6EC2D4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\GPJtLrX.exe	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hyLiplr.exe	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mqbAmsP.exe	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dPBjinJ.exe	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jWzHtWY.exe	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OStnhog.exe	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lzOYTyo.exe	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zAqhync.exe	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qNZUzVH.exe	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iFMJYAB.exe	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FSufaEp.exe	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gpZnjdO.exe	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MvVRqaw.exe	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pjSisze.exe	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pmUkfSZ.exe	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tLoqfqO.exe	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KPzbgFJ.exe	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JcfxDSR.exe	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mKkYyVF.exe	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HCOkrQh.exe	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZRXPWzA.exe	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 3100 wrote to memory of 4220	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	dPBjinJ.exe
PID 3100 wrote to memory of 4220	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	dPBjinJ.exe
PID 3100 wrote to memory of 4184	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	MvVRqaw.exe
PID 3100 wrote to memory of 4184	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	MvVRqaw.exe
PID 3100 wrote to memory of 3212	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	pjSisze.exe
PID 3100 wrote to memory of 3212	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	pjSisze.exe
PID 3100 wrote to memory of 3056	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	jWzHtWY.exe
PID 3100 wrote to memory of 3056	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	jWzHtWY.exe
PID 3100 wrote to memory of 3924	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	OStnhog.exe
PID 3100 wrote to memory of 3924	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	OStnhog.exe
PID 3100 wrote to memory of 3880	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	lzOYTyo.exe
PID 3100 wrote to memory of 3880	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	lzOYTyo.exe
PID 3100 wrote to memory of 5112	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	pmUkfSZ.exe
PID 3100 wrote to memory of 5112	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	pmUkfSZ.exe
PID 3100 wrote to memory of 2600	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	qNZUzVH.exe
PID 3100 wrote to memory of 2600	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	qNZUzVH.exe
PID 3100 wrote to memory of 3184	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	JcfxDSR.exe
PID 3100 wrote to memory of 3184	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	JcfxDSR.exe
PID 3100 wrote to memory of 4772	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	mKkYyVF.exe
PID 3100 wrote to memory of 4772	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	mKkYyVF.exe
PID 3100 wrote to memory of 4980	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	zAqhync.exe
PID 3100 wrote to memory of 4980	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	zAqhync.exe
PID 3100 wrote to memory of 824	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	iFMJYAB.exe
PID 3100 wrote to memory of 824	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	iFMJYAB.exe
PID 3100 wrote to memory of 2248	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	GPJtLrX.exe
PID 3100 wrote to memory of 2248	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	GPJtLrX.exe
PID 3100 wrote to memory of 4840	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	FSufaEp.exe
PID 3100 wrote to memory of 4840	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	FSufaEp.exe
PID 3100 wrote to memory of 5056	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	hyLiplr.exe
PID 3100 wrote to memory of 5056	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	hyLiplr.exe
PID 3100 wrote to memory of 2476	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	tLoqfqO.exe
PID 3100 wrote to memory of 2476	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	tLoqfqO.exe
PID 3100 wrote to memory of 3592	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	HCOkrQh.exe
PID 3100 wrote to memory of 3592	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	HCOkrQh.exe
PID 3100 wrote to memory of 3008	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	gpZnjdO.exe
PID 3100 wrote to memory of 3008	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	gpZnjdO.exe
PID 3100 wrote to memory of 4976	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	mqbAmsP.exe
PID 3100 wrote to memory of 4976	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	mqbAmsP.exe
PID 3100 wrote to memory of 4316	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	KPzbgFJ.exe
PID 3100 wrote to memory of 4316	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	KPzbgFJ.exe
PID 3100 wrote to memory of 3584	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	ZRXPWzA.exe
PID 3100 wrote to memory of 3584	3100	2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe	ZRXPWzA.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\System\dPBjinJ.exe
C:\Windows\System\dPBjinJ.exe
2⤵
- Executes dropped EXE
PID:4220

C:\Windows\System\MvVRqaw.exe
C:\Windows\System\MvVRqaw.exe
2⤵
- Executes dropped EXE
PID:4184

C:\Windows\System\pjSisze.exe
C:\Windows\System\pjSisze.exe
2⤵
- Executes dropped EXE
PID:3212

C:\Windows\System\jWzHtWY.exe
C:\Windows\System\jWzHtWY.exe
2⤵
- Executes dropped EXE
PID:3056

C:\Windows\System\OStnhog.exe
C:\Windows\System\OStnhog.exe
2⤵
- Executes dropped EXE
PID:3924

C:\Windows\System\lzOYTyo.exe
C:\Windows\System\lzOYTyo.exe
2⤵
- Executes dropped EXE
PID:3880

C:\Windows\System\pmUkfSZ.exe
C:\Windows\System\pmUkfSZ.exe
2⤵
- Executes dropped EXE
PID:5112

C:\Windows\System\qNZUzVH.exe
C:\Windows\System\qNZUzVH.exe
2⤵
- Executes dropped EXE
PID:2600

C:\Windows\System\JcfxDSR.exe
C:\Windows\System\JcfxDSR.exe
2⤵
- Executes dropped EXE
PID:3184

C:\Windows\System\mKkYyVF.exe
C:\Windows\System\mKkYyVF.exe
2⤵
- Executes dropped EXE
PID:4772

C:\Windows\System\zAqhync.exe
C:\Windows\System\zAqhync.exe
2⤵
- Executes dropped EXE
PID:4980

C:\Windows\System\iFMJYAB.exe
C:\Windows\System\iFMJYAB.exe
2⤵
- Executes dropped EXE
PID:824

C:\Windows\System\GPJtLrX.exe
C:\Windows\System\GPJtLrX.exe
2⤵
- Executes dropped EXE
PID:2248

C:\Windows\System\FSufaEp.exe
C:\Windows\System\FSufaEp.exe
2⤵
- Executes dropped EXE
PID:4840

C:\Windows\System\hyLiplr.exe
C:\Windows\System\hyLiplr.exe
2⤵
- Executes dropped EXE
PID:5056

C:\Windows\System\tLoqfqO.exe
C:\Windows\System\tLoqfqO.exe
2⤵
- Executes dropped EXE
PID:2476

C:\Windows\System\HCOkrQh.exe
C:\Windows\System\HCOkrQh.exe
2⤵
- Executes dropped EXE
PID:3592

C:\Windows\System\gpZnjdO.exe
C:\Windows\System\gpZnjdO.exe
2⤵
- Executes dropped EXE
PID:3008

C:\Windows\System\mqbAmsP.exe
C:\Windows\System\mqbAmsP.exe
2⤵
- Executes dropped EXE
PID:4976

C:\Windows\System\KPzbgFJ.exe
C:\Windows\System\KPzbgFJ.exe
2⤵
- Executes dropped EXE
PID:4316

C:\Windows\System\ZRXPWzA.exe
C:\Windows\System\ZRXPWzA.exe
2⤵
- Executes dropped EXE
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2736,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:8
1⤵
PID:2304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\FSufaEp.exe
Filesize
5.9MB

MD5
04829796693a4fe9ba67d10a042e1fe6

SHA1
09104e59b481b9c77e85e7e7a843fe8aefb50acc

SHA256
b6c936fd4ae9d9f9484af9848e43f0cdc25b5ee19c269889ead52ace3d7fafa4

SHA512
4dd3af6f2f1cc75e7dd5a02d0383aad62fe992e8d43186eab4cd45409abc5d121639f9659313a3d02933f3c24cdd09af538b6a16bdf7e2ec03c353a11d40012e

Download Submit
C:\Windows\System\GPJtLrX.exe
Filesize
5.9MB

MD5
7d7fd01a061fd5a7e89753c368088b08

SHA1
4502b4ca69fc47ee61419cc59cb3c5394ce487db

SHA256
58a8f52e1eced881312ae32d539f8881698431fc7dd1b1e0f12f59879f5cabf2

SHA512
3712103971807d87a792f078932fea72c5ff47d2861e3650eee9dd24e4beffb66b9e3efd8aad3bb116714fbc542f688c3b8158a7f546a35dcfe4d3796b595759

Download Submit
C:\Windows\System\HCOkrQh.exe
Filesize
5.9MB

MD5
b0eb70b552e9046438fb65e90f84533a

SHA1
7f554df4c34815684b1cfda900025d498715bdb9

SHA256
116a755fa1e68157604a0514b3d80813a3dd9963d64aa33360cd03c4e76c184d

SHA512
ea21bbc6146acdc284618cc781b934f8f51041e35b6720f9953af57c9c19cde734d413463e085b7318969174092cc580ff7529e214a6e44ad991ca4c22e89073

Download Submit
C:\Windows\System\JcfxDSR.exe
Filesize
5.9MB

MD5
8ca6f1b8da065c8ceabcdc558fe27985

SHA1
96bfcc1ca7af2d373fc3bae99b7898fbf65fa74c

SHA256
6000573e4b82db82a8412329bd3f741c7ca0c92ddc96a5d0d12c346a2be546f2

SHA512
81579a6fcb71e33d4616ae5e1eae059b198b9e5bc66a4173ace283e2f5054abc52d10e4ea816e2ba19babec46fb88595faa58b875cecf160e3b086e8ad866133

Download Submit
C:\Windows\System\KPzbgFJ.exe
Filesize
5.9MB

MD5
2a525c3fcf5069268e4866ad4fe0d4d7

SHA1
fbef09c3073aebf0f964cd20abea04c4c21ccf90

SHA256
994820f4d75829ae5be8af697f15e92bb3c6d1c253631b9ad6710b7736fd600e

SHA512
381d0d706a2eee5d2040a1136e7b3af55c94ac1a86416aec4ac55509d6bd535c1b2f2f755adf2e2514286aae2a1aaed7d0cbebb6e0f1cfddb303ad089ff08e04

Download Submit
C:\Windows\System\MvVRqaw.exe
Filesize
5.9MB

MD5
558f3be622ab6913c6b3e9147bb6ae19

SHA1
6d3ed2d1f2f401eb10536df1717b43c0de7ec331

SHA256
44bd2566927fd690a6736888383d9a4960710a10ee00a2a77a763bde6daa1b28

SHA512
e9aa479dafd5a2bac968f68e9f72514d3ce07e82c8a4418ca23037e2c75a80748cef85b471e243ed08a31215e1ec62551c264620d8416d10ace196e649c03d44

Download Submit
C:\Windows\System\OStnhog.exe
Filesize
5.9MB

MD5
9c88bde4cd903853e890dc3ead4f1087

SHA1
366c0114a7412433aaa26313325aa74452f130f8

SHA256
3b6c30785dd1f9deb79b62d3a78884e140f4b7516d55953a71bb38cdb067c127

SHA512
0a1f67a5be5c84e1be24232fc3faca7388ef499da6d119a7ba9479c003a9a49cb3fc8324c590b12ac07f4d96b6b9e3b209e589b272db596863995cf8cff6b9e6

Download Submit
C:\Windows\System\ZRXPWzA.exe
Filesize
5.9MB

MD5
9a3afb221adaad6c7ae9937523be18b0

SHA1
f10bb1b113b32d66be8a6ce33b3dff11586c7f13

SHA256
93f437530613e6bbbbc4b8df5f9aa99a9866973641dddc8f7ef298eebeaa8b36

SHA512
b79cf7d2c9ccf3649e4301ca4bbbbaa3b3758c8b0a7aab29c634c3aceea9306b480d36215310b2ccab2c952b1672be1a3b61dd70d792ccef28de7ea81a471933

Download Submit
C:\Windows\System\dPBjinJ.exe
Filesize
5.9MB

MD5
f0a06c8e5a5f1b84900b6b63ecd41a9d

SHA1
0e5a87db07b57547a510e6975b2a01258183d6da

SHA256
5be0232c00fca70d642503b0d523e618fd4256f382bff07b3329615323c6e26c

SHA512
baeebf8d3afd701914d85f1c9a312234f95134bd289570b9a4fe6ee0ce5f429493560c983bfd9426aca8e80616e419cd893049fe212c4c43ae011f17fc06a895

Download Submit
C:\Windows\System\gpZnjdO.exe
Filesize
5.9MB

MD5
a9ea4f700074a532e8c5d9c3f7cb4b8a

SHA1
17bccee444a4f5293f253a80f78886a7ef548031

SHA256
10170adb7c3c069e4357b7b96881fcff68ceaa3016c92f2e97e3f09fda5da921

SHA512
42fba6c68eb12ddb66786a3b94ef5fc2605bed3aff1ce3b11de3795bc20d350c7ad84b2304decf768ecde23d366c8d28440035082ccc2806fed1d33690dd67bc

Download Submit
C:\Windows\System\hyLiplr.exe
Filesize
5.9MB

MD5
9b80b6af17285620c1acc91ccc691587

SHA1
403d6169040e1e8f414774e4ba963113339a5402

SHA256
5775fc3aefedbc6fc943b6a5d5a2c5074be00435dccea1c71990f5f329a232df

SHA512
3eddd501e76e95968d159ac0fd77b2ea183bc21165724438263d9b9d4b204b37fe32667680e5fe39801f1019ec530f9b0c63fa3f82a4cf8ab319dcc17bd1603b

Download Submit
C:\Windows\System\iFMJYAB.exe
Filesize
5.9MB

MD5
915bc9276f222b8d498f332426e03998

SHA1
e229beadcc5c0dd252f177f08e5589584647bd59

SHA256
7d764e0ce3b2f06abd652c5d628b9730f735367b6f3bbb559eb6b8d070f1b931

SHA512
518532ef02523e734620436a0dc2423185f4a9cd86ca0f3461e2d841e961a91f2102ec3b2dd32aa41187ada97fb983e3c0e96e3449f657374232be80703e6061

Download Submit
C:\Windows\System\jWzHtWY.exe
Filesize
5.9MB

MD5
9a38d01e0b181e0b6079c4b39eb7deb1

SHA1
d8a75c9e6554dd047cca2264eb4d46b46a57f38d

SHA256
f0d5f37dd6b62f4f9873ce70f68494c8855fba71df02f62abcefc260c8a8cf32

SHA512
54061a2bd598cbdb06dc26ef938fdb03bea912dc33a94c74fa403bc62ed2bee53279c8dc8c60da01ee0d4b11bb93f25735f6320db6ee7c129b8c1e3a1b9d3c8f

Download Submit
C:\Windows\System\lzOYTyo.exe
Filesize
5.9MB

MD5
e5f000530419cb3da9e22ff850f62a86

SHA1
c1e01a8a0fe7332101a61e84b40d3b48524de9de

SHA256
29e611ec24b9278365257ac9426bed7ba0b449272abd8c9cc693fd049d5995a3

SHA512
d0ae551e3b564d0b28cf1b655ab2e48c1ba17ce9895bdb792012233b07f79b05275d145eadd2211df95524e562cebf1fc96102955cf5c0f72994b396005770e4

Download Submit
C:\Windows\System\mKkYyVF.exe
Filesize
5.9MB

MD5
36c6e7c7a978e45d320aa67e8f9e042c

SHA1
89dd36abddfee7a4224c943f1714643172c03dd3

SHA256
01eced5d3fee1110d6a6cb10d27ec36235bf12b07352065fd220a7b4f729ac9f

SHA512
9b2915c877d1824e9d48cc8fb4509efc4a7bc2ec3c085a9fbcc00304ca97765dd631ebbcd1f959135ccd99dd85457cf61b71aa54e8b893fbecf4ec9200fbb8b3

Download Submit
C:\Windows\System\mqbAmsP.exe
Filesize
5.9MB

MD5
df08956135d699f4011016d9729e501d

SHA1
ecc27ae449be760126f8a3e1b364da5fca1f25d1

SHA256
949677cf6b0608ae4f163decfe821a47840d1a04512289661f6310d90afbe389

SHA512
4d5e88c556b9de11ece8fcbe7b5880fa2cfcc0bccc2caf4d8827c3428beeaf167cff7f22d8cbd0c6d61bbf4dfc690415b571dc520049b71cfcca28d8e7877e31

Download Submit
C:\Windows\System\pjSisze.exe
Filesize
5.9MB

MD5
b6276dcd064471eb48d753e6557b073e

SHA1
a148c405fd4dc2a7ca555c99f75aa9ac3f7e3641

SHA256
98fe3af1e223d714a2d6d051b33b179b5865a518e0f6d7307ec5721681a04423

SHA512
06abc93ca5c367a9e4860f28f66c20dfc7700d411a5e858f0bd40d78c03d99e9e8bd7f15dea151b0568b8b2e367727fc2e4385ea90edb7f382c111401320ef54

Download Submit
C:\Windows\System\pmUkfSZ.exe
Filesize
5.9MB

MD5
15c77185a20361e32e46bb1ddd0e1182

SHA1
d5b9693fc5a5ab0ee2611968fa7f9a218a4c3903

SHA256
d69a8f42931bee1c90e1f119eb287a2f1d930485c6ec8ffc251d34e3219ab3f1

SHA512
6de4fee1f2b8b4a6e59658f9b8117c190b108ff950795238e3f4c8bf805e53582fce8461a1b995f5ca4e29063d2ad08955ff2a0d7732da47202c5d75e9f31cfb

Download Submit
C:\Windows\System\qNZUzVH.exe
Filesize
5.9MB

MD5
8b6ff434545b856413505cf3c9bf8d1f

SHA1
7a509a2f415fbfa8a63c7607e764019a176574d3

SHA256
88f6cb8bd7e70d95456ec6ac9761720e9169f505f1882e0e3c58ef6317af640c

SHA512
ebdccedcc0be2ae03728a4501ddfbb1fa0458e067d3571ae5ff1573f005a5deff5b936571e9172bff815bb51a9c8e15a25914308b9a3e01a947c4068620f2c27

Download Submit
C:\Windows\System\tLoqfqO.exe
Filesize
5.9MB

MD5
56da738263d4f6ec21b2a3fa8156e449

SHA1
3a5b84a9d5056bb956b95d280abd9f45522a85c3

SHA256
7b554e14634c830efe44dced703c9b03ad4e4230c51e9211d9eb31203389c72f

SHA512
59c8b9c465fbb7b8de6648c0bfa83a5e6d55f516b4a16b94dbc98c907b6f7b8a3c790b3fdb53014d7b3679017c85820ee9a4324f952efdca8893f57e1b9ab44d

Download Submit
C:\Windows\System\zAqhync.exe
Filesize
5.9MB

MD5
3930869b2c530758aac63d3cf8cdf11b

SHA1
6315336a21b35224a2020bc24469bb484c7927bd

SHA256
10c8d2ab251bfe245c505c36ed8f818573287b65858b823c551916eee6d26dcc

SHA512
1940b32f0f53c2192e013ad6b2fd1ad349fd31993948544c99d478174cc57e267d3a0909baf8bfa9fbb5e6fae473adb3bcde2a8f35616a35ac54a9617f4ce128

Download Submit
memory/824-118-0x00007FF6E9D70000-0x00007FF6EA0C4000-memory.dmp

Filesize
3.3MB

Download
memory/824-148-0x00007FF6E9D70000-0x00007FF6EA0C4000-memory.dmp

Filesize
3.3MB

Download
memory/2248-119-0x00007FF6A5FB0000-0x00007FF6A6304000-memory.dmp

Filesize
3.3MB

Download
memory/2248-146-0x00007FF6A5FB0000-0x00007FF6A6304000-memory.dmp

Filesize
3.3MB

Download
memory/2476-122-0x00007FF6C3C80000-0x00007FF6C3FD4000-memory.dmp

Filesize
3.3MB

Download
memory/2476-147-0x00007FF6C3C80000-0x00007FF6C3FD4000-memory.dmp

Filesize
3.3MB

Download
memory/2600-138-0x00007FF7AF0A0000-0x00007FF7AF3F4000-memory.dmp

Filesize
3.3MB

Download
memory/2600-114-0x00007FF7AF0A0000-0x00007FF7AF3F4000-memory.dmp

Filesize
3.3MB

Download
memory/3008-124-0x00007FF7F7800000-0x00007FF7F7B54000-memory.dmp

Filesize
3.3MB

Download
memory/3008-149-0x00007FF7F7800000-0x00007FF7F7B54000-memory.dmp

Filesize
3.3MB

Download
memory/3056-28-0x00007FF62EBB0000-0x00007FF62EF04000-memory.dmp

Filesize
3.3MB

Download
memory/3056-135-0x00007FF62EBB0000-0x00007FF62EF04000-memory.dmp

Filesize
3.3MB

Download
memory/3056-131-0x00007FF62EBB0000-0x00007FF62EF04000-memory.dmp

Filesize
3.3MB

Download
memory/3100-1-0x0000023C47720000-0x0000023C47730000-memory.dmp

Filesize
64KB

Download
memory/3100-0-0x00007FF73FC50000-0x00007FF73FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/3100-128-0x00007FF73FC50000-0x00007FF73FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/3184-137-0x00007FF760540000-0x00007FF760894000-memory.dmp

Filesize
3.3MB

Download
memory/3184-115-0x00007FF760540000-0x00007FF760894000-memory.dmp

Filesize
3.3MB

Download
memory/3212-22-0x00007FF60D8D0000-0x00007FF60DC24000-memory.dmp

Filesize
3.3MB

Download
memory/3212-134-0x00007FF60D8D0000-0x00007FF60DC24000-memory.dmp

Filesize
3.3MB

Download
memory/3584-127-0x00007FF6DBEE0000-0x00007FF6DC234000-memory.dmp

Filesize
3.3MB

Download
memory/3584-152-0x00007FF6DBEE0000-0x00007FF6DC234000-memory.dmp

Filesize
3.3MB

Download
memory/3592-145-0x00007FF79BE00000-0x00007FF79C154000-memory.dmp

Filesize
3.3MB

Download
memory/3592-123-0x00007FF79BE00000-0x00007FF79C154000-memory.dmp

Filesize
3.3MB

Download
memory/3880-112-0x00007FF691EA0000-0x00007FF6921F4000-memory.dmp

Filesize
3.3MB

Download
memory/3880-140-0x00007FF691EA0000-0x00007FF6921F4000-memory.dmp

Filesize
3.3MB

Download
memory/3924-136-0x00007FF731110000-0x00007FF731464000-memory.dmp

Filesize
3.3MB

Download
memory/3924-111-0x00007FF731110000-0x00007FF731464000-memory.dmp

Filesize
3.3MB

Download
memory/4184-130-0x00007FF631F40000-0x00007FF632294000-memory.dmp

Filesize
3.3MB

Download
memory/4184-19-0x00007FF631F40000-0x00007FF632294000-memory.dmp

Filesize
3.3MB

Download
memory/4184-133-0x00007FF631F40000-0x00007FF632294000-memory.dmp

Filesize
3.3MB

Download
memory/4220-8-0x00007FF7F08C0000-0x00007FF7F0C14000-memory.dmp

Filesize
3.3MB

Download
memory/4220-132-0x00007FF7F08C0000-0x00007FF7F0C14000-memory.dmp

Filesize
3.3MB

Download
memory/4220-129-0x00007FF7F08C0000-0x00007FF7F0C14000-memory.dmp

Filesize
3.3MB

Download
memory/4316-150-0x00007FF778A40000-0x00007FF778D94000-memory.dmp

Filesize
3.3MB

Download
memory/4316-126-0x00007FF778A40000-0x00007FF778D94000-memory.dmp

Filesize
3.3MB

Download
memory/4772-142-0x00007FF645D70000-0x00007FF6460C4000-memory.dmp

Filesize
3.3MB

Download
memory/4772-116-0x00007FF645D70000-0x00007FF6460C4000-memory.dmp

Filesize
3.3MB

Download
memory/4840-120-0x00007FF6EBF80000-0x00007FF6EC2D4000-memory.dmp

Filesize
3.3MB

Download
memory/4840-143-0x00007FF6EBF80000-0x00007FF6EC2D4000-memory.dmp

Filesize
3.3MB

Download
memory/4976-151-0x00007FF656A30000-0x00007FF656D84000-memory.dmp

Filesize
3.3MB

Download
memory/4976-125-0x00007FF656A30000-0x00007FF656D84000-memory.dmp

Filesize
3.3MB

Download
memory/4980-144-0x00007FF787290000-0x00007FF7875E4000-memory.dmp

Filesize
3.3MB

Download
memory/4980-117-0x00007FF787290000-0x00007FF7875E4000-memory.dmp

Filesize
3.3MB

Download
memory/5056-121-0x00007FF7F4180000-0x00007FF7F44D4000-memory.dmp

Filesize
3.3MB

Download
memory/5056-141-0x00007FF7F4180000-0x00007FF7F44D4000-memory.dmp

Filesize
3.3MB

Download
memory/5112-139-0x00007FF769520000-0x00007FF769874000-memory.dmp

Filesize
3.3MB

Download
memory/5112-113-0x00007FF769520000-0x00007FF769874000-memory.dmp

Filesize
3.3MB

Download